Setting up OpenBSD as a router is really easy, and the documentation at Openbsd.com was really good, except that one piece of information eluded me, so I spent hours and hours searching before I was finally able to set the box up as an OpenBSD router.
Maybe I don't know how to read the FAQ, but it was not clearly given.
(Scroll to the end to find what I was missing. Once I did that it worked like a charm.)
My OpenBSD box
- Pentium dual core - Dell Optiplex 755 small form factor
- 2 Gigabit Ethernet NICs - one built in and the other a PCI card
- 160 GB hard drive
- 4 GB memory
OpenBSD 5.6
$ ifconfig -a
lo0: flags=8049 mtu 32768
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
em0: flags=28843 mtu 1500
lladdr 00:1a:a0:7e:df:b7
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
status: active
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
re0: flags=28843 mtu 1500
lladdr 00:e0:4c:69:1b:d9
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
enc0: flags=20000
priority: 0
groups: enc
status: active
pflog0: flags=20141 mtu 33144
priority: 0
groups: pflog
$
Here em0 is the internet-facing NIC and re0 is the internal LAN-facing NIC.
My configuration files:
/etc/dhcpd.conf
option domain-name-servers 10.0.0.1, 68.238.64.12;
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    range 10.0.0.2 10.0.0.128;
    host server {
        fixed-address 10.0.0.21;
        hardware ethernet 00:25:64:EE:DD:52;
    }
}
$ cat rc.conf.local
dhcpd_flags="re0"
$
$ cat sysctl.conf
net.inet.ip.forwarding=1
$
$ cat hostname.re0
inet 10.0.0.1 255.255.255.0 NONE
$ cat hostname.em0
dhcp
$
$ cat resolv.conf
# Generated by em0 dhclient
search home
nameserver 192.168.1.1
lookup file bind
$
The /etc/mygate file does not exist (it was not created during the install, nor did I create it later at any point).
resolv.conf is automatically created during the OpenBSD install when you set up DHCP on the em0 interface.
Per the documentation, this is all that has to be done and OpenBSD should work as a router.
The problem was that the clients were able to get their DHCP information and could ping the LAN NIC, but could not connect to the internet. I wondered why; sysctl.conf was configured correctly to make the box a forwarding gateway.
I disabled PF and still could not connect to the internet. Enabling or disabling PF had no effect.
The missing piece:
Thanks to the BSD Now video "Episode 011: The Gateway Drug", which showed how to correctly set up an OpenBSD router.
What I was not getting was that a pf.conf entry was needed and that PF should be set up as the firewall.
The pf.conf entry that did the trick was
pass out on em0 inet from re0:network to any nat-to em0
(i.e. set up NAT, I suppose).
So, problem solved. Now I could connect to the internet. I used the default pf.conf that came with the install and just added this entry.
pf.conf below:
# cat pf.conf
# $OpenBSD: pf.conf,v 1.53 2014/01/25 10:28:36 dtucker Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# increase default state limit from 10'000 states on busy systems
#set limit states 100000
set skip on lo
# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
# anchor for relayd(8)
#anchor "relayd/*"
block return # block stateless traffic
pass # establish keep-state
# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp
pass out on em0 inet from re0:network to any nat-to em0
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
#
Next I need to learn PF so that I understand what each line above is doing, and much more...
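For the "understand what each line is doing" step, here is a FAQ-style ruleset for the same box, added here as an example and not the post's own pf.conf. It does the same NAT but with default deny on the internet-facing side; the interface names and the 10.0.0.0/24 network come from the post, while the macros and the choice of which traffic to allow are assumptions for this box.

```pf
# Added example, not the post's pf.conf. Interfaces and LAN network as in the post.
ext_if = "em0"
int_if = "re0"
lan_net = "10.0.0.0/24"

set skip on lo

# Normalise incoming packets (reassemble fragments, clear the DF bit).
match in all scrub (no-df)

# NAT: rewrite LAN source addresses to em0's primary IPv4 address.
# The post's "nat-to em0" expands the address once, when the ruleset is
# loaded; ($ext_if:0) is looked up per packet, so a new DHCP lease on em0
# is picked up without reloading pf.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if:0)

# Default deny. The post's ruleset ("block return" followed by a bare "pass")
# passes every new connection in both directions, including connections from
# the em0 side to the router itself. Here nothing passes unless allowed below.
block log all

# Drop packets arriving with a loopback or LAN source on the wrong interface.
antispoof quick for { lo $int_if }

# Anything the router itself sends, and LAN traffic leaving through em0
# (the match rule above has already attached nat-to to those packets).
pass out quick

# Everything arriving from the LAN side: forwarded traffic, DHCP discovery
# (which has a 0.0.0.0 source) and anything aimed at the router, e.g. SSH.
pass in on $int_if inet

# The only thing accepted from the internet side: ICMP echo requests.
# SSH to the router is therefore reachable from the LAN only.
pass in on $ext_if inet proto icmp icmp-type echoreq
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf; pfctl -s states afterwards shows one state on re0 and one NAT-translated state on em0 for each connection a LAN client makes.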